
Oracle has added new features to Java designed to make it harder for hacked or malicious websites to carry out drive-by malware attacks that exploit underlying vulnerabilities in the widely used software framework.

As Ars reported Wednesday, some security experts say the growing prevalence of attack code exploiting flaws that will never be fixed in an older, widely used version is one factor causing the security of Java to take a dangerous turn for the worse. That's largely the result of Oracle's move in April to stop issuing security updates for Java version 6. Many large companies still use the older release because their Java apps don't work on the latest one, putting the enterprises in the difficult position of choosing compatibility over the security of their employee desktop computers. Apple, Facebook, and Twitter are just some of the companies that have experienced breaches in the past year that targeted Java running on employee computers.

A new feature in Java 7 Update 40 is aimed at ameliorating this predicament. It's a change to the local security policy that allows large customers to specify a limited set of applets and Java Web Start applications that are permitted to run, and to pin an individual legacy app to an older Java version while everything else uses the current release. Known as a deployment rule set, the policy is an XML file of rules that an administrator packages into a JAR (Java archive) file, signs with a certificate the organization trusts, and installs on each desktop. Rules identify an app by the URL it is served from, by the certificate that signed it, or both. Apps that match no rule can be blocked outright by a catch-all rule, or left to the default behavior, which runs them on the latest installed Java with the normal security prompts.

"The Deployment Rule Set feature is optional and shall only be used internally in an organization with a controlled environment," Java developers explained. "If a JAR file that contains a rule set is distributed or made available publicly, then the certificate used to sign the rule set will be blacklisted and blocked in Java."
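To make the mechanism concrete, here is what such a rule set looks like. This is an added illustration, not a file from the article or from Oracle's documentation; the hostnames, the application paths and the certificate hash are placeholders. It pins one legacy intranet app to a Java 6 runtime, lets a current internal app run under the default (latest) Java, and blocks all other Java content, including anything from the public internet:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ruleset.xml: example deployment rule set (added illustration; all names are placeholders).
     Rules are evaluated top to bottom and the first matching rule wins, so the narrow
     allow-list entries come first and the catch-all block rule comes last. -->
<ruleset version="1.0+">

  <!-- Legacy intranet applet that only works on Java 6: allow it, pinned to a 1.6 JRE.
       The id requires BOTH the location and the signer's certificate to match, so a JAR
       signed by someone else but served from this URL, or the same JAR copied to another
       host, does not get the Java 6 exception. The hash is the SHA-256 fingerprint of the
       signing certificate in hex without colons (placeholder value here). -->
  <rule>
    <id location="https://legacy.intranet.example.com/timecard/">
      <certificate hash="0000000000000000000000000000000000000000000000000000000000000000" />
    </id>
    <action permission="run" version="1.6*" />
  </rule>

  <!-- Current internal app: no exception needed, run it on the default (latest) JRE
       with the normal security checks. -->
  <rule>
    <id location="https://hr.example.com/" />
    <action permission="default" />
  </rule>

  <!-- Everything else is blocked. An empty id element matches every applet and
       Web Start application, including content from arbitrary internet sites. -->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by company policy: this Java application is not on the approved list.</message>
    </action>
  </rule>
</ruleset>
```

To deploy it, package the file as `jar cvf DeploymentRuleSet.jar ruleset.xml`, sign the archive with `jarsigner -keystore corp.jks DeploymentRuleSet.jar corpkey` (keystore name and key alias assumed), and place the signed JAR in the system deployment directory (`C:\Windows\Sun\Java\Deployment` on Windows, `/etc/.java/deployment` on Linux). The signing certificate must chain to something the client trusts, either a CA-issued code-signing certificate or an internal CA imported into the Java trusted certificates store. The Java Control Panel's Security tab confirms that a rule set is active. Two caveats a practitioner should keep in mind: Java 6 must still be installed on the client for the `1.6*` rule to have anything to run, and the rule set only shrinks the exposure of Java 6 to the one app it is pinned to; a malicious JAR that somehow reached that path, signed by that certificate, would still run on the unpatched runtime. And, as Oracle's warning above makes clear, the signed JAR must stay inside the organization, since a publicly leaked rule set gets its signing certificate blacklisted.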

The new feature will have little effect on home users. Ars continues to recommend that individuals carefully evaluate their system needs and consider uninstalling Java altogether, keeping the Java runtime installed but uninstalling all Java browser plugins, or using a dedicated browser for those sites that require Java and using a different browser for viewing all other pages.

Updated to add "in an older, widely used version" to the second paragraph.

Promoted Comments

Java is a great concept. The implementation leaves a bit to be desired.

However, I suspect that an even bigger issue is Oracle ending support for Java 6 less than two years after Java 7 was released. I think that some people who invested in custom developed software are going to be very hesitant to have it developed in Java next time around. Having to support bug fixes in your software is a pain. Having to do a porting effort and extensive testing to move to a new Java version two years after developing to the latest version because Oracle refuses to continue providing their own bug fixes sounds like something that would result in major policy changes.

Many large companies still use the older release because their Java apps don't work on the latest one

This one should read

article wrote:

Many large companies still use the older release because they don't properly maintain their software with the latest versions of frameworks that they chose to utilize

Have you ever seen how long it takes large companies to approve a new version of a piece of software? I'm talking like a new version of Word, or Pidgin, or whatever.

Asking them to approve an entirely new framework, impacting untold numbers of applications? What crack are you smoking? We aren't talking software with minimal impact. In some cases, we're talking core applications, where downtime is measured in millions of dollars per unit time (which can be as little as seconds).

Ars continues to recommend that individuals carefully evaluate their system needs and consider uninstalling Java altogether, keeping the Java runtime installed but uninstalling all Java browser plugins, or using a dedicated browser for those sites that require Java and using a different browser for viewing all other pages.

There is nothing wrong with having the Java runtime installed. Simply removing Java browser plugins is more than enough to keep you safe from this string of vulnerabilities. Quit spreading FUD that you know nothing about, Dan.

"keeping the Java runtime installed but uninstalling all Java browser plugins" <- right there it's an option!

But seriously, if someone doesn't need Java why should they have it installed? Otherwise, you end up with software that never gets upgraded.